Abstract. We present algorithms for computing the squared Weil and
Tate pairings on elliptic curves and the squared Tate pairing on hyper- 
elliptic curves. The squared pairings introduced in this paper have the 
advantage that our algorithms for evaluating them are deterministic and 
do not depend on a random choice of points. Our algorithm to evaluate 
the squared Weil pairing is about 20% more efficient than the stan- 
dard Weil pairing. Our algorithm for the squared Tate pairing on elliptic 
curves matches the efficiency of the algorithm given by Barreto, Lynn, 
and Scott in the case of arbitrary base points where their denominator 
cancellation technique does not apply. Our algorithm for the squared 
Tate pairing for hyperelliptic curves is the first detailed implementation 
of the pairing for general hyperelliptic curves of genus 2, and saves an 
estimated 30% over the standard algorithm. 



1 Introduction 

The Weil and Tate pairings have been proposed for use in cryptography, includ- 
ing one-round 3-way key establishment, identity-based encryption, and short 
signatures [9]. For a fixed positive integer $m$, the Weil pairing $e_m$ is a bilinear
map that sends two $m$-torsion points on an elliptic curve to an $m$th root of unity
in the field. For elliptic curves, the Weil pairing is a quotient of two applications 
of the Tate pairing, except that the Tate pairing needs an exponentiation which 
the Weil pairing omits. 

For cryptographic applications, the objective is a bilinear map with a specific 
recipe for efficient evaluation, and no clear way to invert. The Weil and Tate 
pairings provide such tools. Each pairing has a practical definition which involves 
finding functions with prescribed zeros and poles on the curve, and evaluating 
those functions at pairs of points. 

For elliptic curves, Miller ^U] gave an algorithm for the Weil pairing. (See also
the Appendix B to [3], for a probabilistic implementation of Miller's algorithm
which recursively generates and evaluates the required functions based on a 
random choice of points.) For Jacobians of hyperelliptic curves, Frey and Rück
gave a recursive algorithm to generate the required functions, assuming the 
knowledge of intermediate functions having prescribed zeros and poles. 

For elliptic curves, we present an improved algorithm for computing the 
squared Weil pairing, $e_m(P, Q)^2$. Our deterministic algorithm does not depend
on a random choice of points for evaluation of the pairing. Our algorithm saves 
about 20% over the standard implementation of the Weil pairing fS] . We use this 
idea to obtain an improved algorithm for computing the squared Tate pairing 
for elliptic and hyperelliptic curves. The Tate pairing is already more efficient to 
implement than the Weil pairing. Our new squared Tate pairing is more efficient 
than Miller's algorithm for the Tate pairing for elliptic curves, for another 20% 
saving. For pairings on special families of elliptic curves in characteristics 2 
and 3, some implementation improvements were given in ^ and Another 
deterministic algorithm was given in [1]. In [2], an algorithm for the pairing on
ordinary elliptic curves in arbitrary characteristic is given. Our squared pairing
matches the efficiency of the algorithm in [2] in the case of arbitrary base points
where their denominator cancellation technique does not apply. 

For hyperelliptic curves, we use Cantor's algorithm to produce the intermediate
functions assumed by Frey and Rück. We define a squared Tate pairing for
hyperelliptic curves, and use the knowledge of these intermediate functions to 
implement the pairing and give an example. Our analysis shows that using the 
squared Tate pairing saves roughly 30% over the standard Tate pairing for genus 
2 curves. Our algorithm for the pairing on hyperelliptic curves can be thought 
of as a partial generalization of the Barreto-Lynn-Scott algorithm for elliptic 
curves in the sense that we give a deterministic algorithm which is more efficient 
to evaluate than the standard one. It remains to be seen whether some denom- 
inator cancellation can also be achieved in the hyperelliptic case by choosing 
base points of a special form as was done for elliptic curves in For a special 
family of hyperelliptic curves, Duursma and Lee have given a closed formula for 
the pairing in [5], but ours is the first algorithm for the Tate pairing on general
hyperelliptic curves, and we have implemented the genus 2 case. The squared 
Weil pairing or the squared Tate pairing can be substituted for the Weil or Tate 
pairing in many of the above cryptographic applications. 

The paper is organized as follows. Section 2 provides background on the Weil
pairing for elliptic curves and gives the algorithm for computing the squared Weil
pairing. Section 3 does the same for the squared Tate pairing for elliptic curves.
Section 4 presents the squared Tate pairing for hyperelliptic curves and shows
how to implement it. Section 5 gives an example of the hyperelliptic pairing.

2 Weil pairings for elliptic curves 
2.1 Definition of the Weil pairing 

Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$. In the following $O$
denotes the point at infinity on $E$. If $P$ is a point on $E$, then $x(P)$ and $y(P)$
denote the rational functions mapping $P$ to its affine $x$- and $y$-coordinates.

Let $m$ be a positive integer. We will use the Weil pairing $e_m(\cdot, \cdot)$ definition
in ^2 p. 107]. To compute $e_m(P, Q)$, given two distinct $m$-torsion points $P$
and $Q$ on $E$ over an extension field, pick two divisors $A_P$ and $A_Q$ which are
equivalent to $(P) - (O)$ and $(Q) - (O)$, respectively, and such that $A_P$ and $A_Q$
have disjoint support. Let $f_{A_P}$ be a function on $E$ whose divisor of zeros and
poles is $(f_{A_P}) = m \cdot A_P$. Similarly, let $f_{A_Q}$ be a function on $E$ whose
divisor of zeros and poles is $(f_{A_Q}) = m \cdot A_Q$. Then

$$e_m(P, Q) = \frac{f_{A_P}(A_Q)}{f_{A_Q}(A_P)}.$$



2.2 Rational functions needed in the evaluation of the pairing 

Fix an integer $m > 0$ and an $m$-torsion point $P$ on an elliptic curve $E$. Let $A_P$
be a divisor equivalent to $(P) - (O)$. For a positive integer $j$, let $f_{j,A_P}$ be a
rational function on $E$ with divisor

$$(f_{j,A_P}) = jA_P - (jP) + (O).$$

This means that $f_{j,A_P}$ has $j$-fold zeros and poles at the points in $A_P$, as well
as a simple pole at $jP$ and a simple zero at $O$, and no other zeros or poles.
Since $mP = O$, it follows that $f_{m,A_P}$ has divisor $mA_P$, so in fact $f_{A_P} = f_{m,A_P}$.
Throughout the paper the notation $f_{j,P}$ will be used to denote the function $f_{j,A_P}$
with $A_P = (P) - (O)$.

Silverman [11, Cor. 3.5, p. 67] shows that these functions exist. Each $f_{j,A_P}$ is
unique up to a nonzero multiplicative scalar. Miller's algorithm gives an iterative
construction of these functions (see for example [1]). The construction of $f_{j,A_P}$
depends on $A_P$. Given $f_{i,A_P}$ and $f_{j,A_P}$, one constructs $f_{i+j,A_P}$ as the product

$$f_{i+j,A_P} = f_{i,A_P} \cdot f_{j,A_P} \cdot \frac{g_{iP,jP}}{g_{(i+j)P}}. \qquad (1)$$

Here the notation $g_{U,V}$ (two subscripts) denotes the line passing through the
points $U$ and $V$ on $E$. The notation $g_U$ (one subscript) denotes the vertical line
through $U$ and $-U$. For more details on efficiently computing $f_{m,A_P}$, see [H].



2.3 Squared Weil pairing for elliptic curves 

The purpose of this section is to construct a new pairing, which we call the 
'squared Weil pairing', and which has the advantage of being more efficient to 
compute than Miller's algorithm for the original Weil pairing. Our algorithm also 
has the advantage that it is guaranteed to output the correct answer and does 
not depend on inputting a randomly chosen point. In contrast Miller's algorithm 
may restart, since the randomly chosen point can cause the algorithm to fail. 



2.4 Algorithm for $e_m(P, Q)^2$

Fix a positive integer $m$ and the curve $E$. Given two $m$-torsion points $P$ and $Q$
on $E$, we want to compute $e_m(P, Q)^2$. Start with an addition-subtraction chain
for $m$. That is, after an initial 1, every element in the chain is a sum or difference
of two earlier elements, until an $m$ appears. Well-known techniques give a chain
of length $O(\log(m))$. For each $j$ in the addition-subtraction chain, form a tuple
$t_j = [jP, jQ, n_j, d_j]$ such that

$$\frac{n_j}{d_j} = \frac{f_{j,P}(Q) \, f_{j,Q}(-P)}{f_{j,P}(-Q) \, f_{j,Q}(P)}. \qquad (2)$$

Start with $t_1 = [P, Q, 1, 1]$. Given $t_j$ and $t_k$, this procedure gets $t_{j+k}$.

1. Form the elliptic curve sums $jP + kP = (j + k)P$ and $jQ + kQ = (j + k)Q$.

2. Find coefficients of the line $g_{jP,kP}(X) = c_0 + c_1 x(X) + c_2 y(X)$.

3. Find coefficients of the line $g_{jQ,kQ}(X) = c'_0 + c'_1 x(X) + c'_2 y(X)$.

4. Set

$$n_{j+k} = n_j n_k \, (c_0 + c_1 x(Q) + c_2 y(Q)) \, (c'_0 + c'_1 x(P) - c'_2 y(P))$$
$$d_{j+k} = d_j d_k \, (c_0 + c_1 x(Q) - c_2 y(Q)) \, (c'_0 + c'_1 x(P) + c'_2 y(P)).$$

A similar construction gives $t_{j-k}$ from $t_j$ and $t_k$. The vertical lines through
$(j + k)P$ and $(j + k)Q$ do not appear in the formulae for $n_{j+k}$ and $d_{j+k}$, because
the contributions from $Q$ and $-Q$ (or from $P$ and $-P$) are equal. When $j + k = m$,
this simplifies to $n_{j+k} = n_j n_k$ and $d_{j+k} = d_j d_k$, since $c_2$ and $c'_2$ will be zero.
When $n_m$ and $d_m$ are nonzero, then the computation

$$\frac{n_m}{d_m} = \frac{f_{m,P}(Q) \, f_{m,Q}(-P)}{f_{m,P}(-Q) \, f_{m,Q}(P)}$$

has been successful, and we have the correct output. If, however, $n_m$ or $d_m$ is
zero, then some factor such as $c_0 + c_1 x(Q) + c_2 y(Q)$ must have vanished. That
line was chosen to pass through $jP$, $kP$, and $(-j - k)P$, for some $j$ and $k$. It
does not vanish at any other point on the elliptic curve. Therefore this factor
can vanish only if $Q = jP$ or $Q = kP$ or $Q = (-j - k)P$. In all of these cases $Q$
will be a multiple of $P$, ensuring $e_m(P, Q) = 1$.



2.5 Correctness proof 

Theorem 1 (Squared Weil Pairing Formula). Let $m$ be a positive integer.
Suppose $P$ and $Q$ are $m$-torsion points on $E$, with neither being the identity and
$P$ not equal to $\pm Q$. Then the squared Weil pairing satisfies

$$\frac{f_{m,P}(Q) \cdot f_{m,Q}(-P)}{f_{m,P}(-Q) \cdot f_{m,Q}(P)} = (-1)^m e_m(P, Q)^2.$$



Proof. Let $R_1$, $R_2$ be points on $E$ such that the divisors $A_P := (P + R_1) - (R_1)$
and $A_Q := (Q + R_2) - (R_2)$ have disjoint support. Let $A_{-Q} := (-Q + R_2) - (R_2)$.
Let $f_{A_P}$ and $f_{A_Q}$ be as above. Then

$$e_m(P, Q) = \frac{f_{A_P}((Q + R_2) - (R_2))}{f_{A_Q}((P + R_1) - (R_1))} = \frac{f_{A_P}(Q + R_2) \, f_{A_Q}(R_1)}{f_{A_P}(R_2) \, f_{A_Q}(P + R_1)}.$$

Let $g(X) = f_{m,P}(X - R_1)$. Then $(g) = m(P + R_1) - m(R_1) = mA_P = (f_{A_P})$.
This implies $g(X)/f_{A_P}(X)$ is constant and

$$\frac{f_{A_P}(Q + R_2)}{f_{A_P}(R_2)} = \frac{g(Q + R_2)}{g(R_2)} = \frac{f_{m,P}(Q + R_2 - R_1)}{f_{m,P}(R_2 - R_1)}.$$

Similarly

$$\frac{f_{A_Q}(R_1)}{f_{A_Q}(P + R_1)} = \frac{f_{m,Q}(R_1 - R_2)}{f_{m,Q}(P + R_1 - R_2)}.$$

Plugging these into Miller's formula gives

$$e_m(P, Q) = \frac{f_{m,P}(Q + R_2 - R_1) \, f_{m,Q}(R_1 - R_2)}{f_{m,P}(R_2 - R_1) \, f_{m,Q}(P + R_1 - R_2)}.$$

Using the same argument for $e_m(P, -Q)$ we obtain

$$e_m(P, -Q) = \frac{f_{m,P}(-Q + R_2 - R_1) \, f_{m,-Q}(R_1 - R_2)}{f_{m,P}(R_2 - R_1) \, f_{m,-Q}(P + R_1 - R_2)} = \frac{f_{m,P}(-Q + R_2 - R_1) \, f_{m,Q}(-R_1 + R_2)}{f_{m,P}(R_2 - R_1) \, f_{m,Q}(-P - R_1 + R_2)}.$$

Hence we can simplify $e_m(P, Q)^2$ to

$$\frac{e_m(P, Q)}{e_m(P, -Q)} = \frac{f_{m,P}(Q + R_2 - R_1)}{f_{m,P}(-Q + R_2 - R_1)} \cdot \frac{f_{m,Q}(R_1 - R_2)}{f_{m,Q}(-(R_1 - R_2))} \cdot \frac{f_{m,Q}(-P - R_1 + R_2)}{f_{m,Q}(P + R_1 - R_2)}.$$

Let $R := R_2 - R_1$. This equation becomes

$$e_m(P, Q)^2 = \frac{f_{m,P}(Q + R)}{f_{m,P}(-Q + R)} \cdot \frac{f_{m,Q}(-R)}{f_{m,Q}(R)} \cdot \frac{f_{m,Q}(-P + R)}{f_{m,Q}(P - R)}. \qquad (3)$$

Fix two linearly independent $m$-torsion points $P$ and $Q$. The right side of (3)
is a rational function of $R$; call it $\psi = \psi(R)$. Since $f_{m,P}$ can have zeros and
poles only at $P$ and $O$, and $f_{m,Q}$ can have zeros and poles only at $Q$ and $O$, this
function $\psi(R)$ can have zeros or poles only at $R = -Q$, $Q$, $P - Q$, $P + Q$, $P$, and
$O$. By looking at the factors of $\psi$ we can check that at each of these points, the
value of $\psi(R)$ is well-defined, because the zeros and poles cancel each other out.
Since $\psi$ is a rational function on an elliptic curve which does not have any zeros
or poles, $\psi$ must be constant. Since for certain values of $R$, $\psi(R) = e_m(P, Q)^2$,
this must be the case for all values of $R$. Hence we may in particular choose
$R = O$, or equivalently $R_1 = R_2$. So let $R_1 = R_2$. By Lemma 1 below,

$$\frac{f_{m,Q}(R_1 - R_2)}{f_{m,Q}(-(R_1 - R_2))} = (-1)^m,$$

and by assumption $f_{m,P}$ does not have a zero or pole at $Q$ and $f_{m,Q}$ does not
have a zero or pole at $P$. Hence expression (3) simplifies to

$$e_m(P, Q)^2 = (-1)^m \, \frac{f_{m,P}(Q) \, f_{m,Q}(-P)}{f_{m,P}(-Q) \, f_{m,Q}(P)}. \qquad (4)$$

Lemma 1. Let $f : E \to \mathbb{F}_q$ be a rational function on $E$ with a zero of order
$m$ (or a pole of order $-m$) at $O$. Define $g : E \to \mathbb{F}_q$ by $g(X) = f(X)/f(-X)$.
Then $g(O)$ is finite and $g(O) = (-1)^m$.

Proof. The rational function $h(X) = x(X)/y(X)$ has a zero of order 1 at $X = O$.
The function $f_1 = f/h^m$ has neither a pole nor a zero at $X = O$, so $f_1(O)$ is
finite and nonzero. We check that the rational function $\varphi(X) = h(X)/h(-X)$
has no zeros and poles on $E$. Hence $\varphi$ is constant. By computing $\varphi(X)$ for a
finite point $X = (x, y)$ on $E$ with $x, y \neq 0$, we see that $\varphi$ is equal to $-1$. Hence

$$g(X) = \frac{f(X)}{f(-X)} = \frac{h(X)^m f_1(X)}{h(-X)^m f_1(-X)} = (-1)^m \, \frac{f_1(X)}{f_1(-X)}$$

and $g(O) = (-1)^m$.



2.6 Estimated savings 

In this section we compare our algorithm for the squared Weil pairing to Miller's 
algorithm for the Weil pairing. We count operations in the underlying finite 
field, counting field squarings as field multiplications throughout. This analysis 
assumes that we use the short Weierstrass form for the elliptic curve E. 

In practice, some of these arithmetic operations may be over a base field 
and others over an extension field. That issue is discussed in more detail in [H]. 
Without knowing the precise context of the application, we don't distinguish 
these, although individual costs may differ considerably.



Miller's algorithm. Miller's algorithm chooses two points $R_1$, $R_2$ on $E$, and
lets $A_P = (P + R_1) - (R_1)$ and $A_Q = (Q + R_2) - (R_2)$. Recall that in the notation
of Section 2.1, $f_{A_P}$ is a function whose divisor is $mA_P$. As in Section 2.2, let
$f_{j,A_P}$ be a function with divisor $(f_{j,A_P}) = j(P + R_1) - j(R_1) - (jP) + (O)$. This
is the function $f_j$ in the notation of [3, p. 611f.]. Then $f_{m,A_P} = f_{A_P}$. As pointed
out in Equation (B.1) of [3, p. 612], (1) leads to the recurrence

$$f_{i+j,A_P}(A_Q) = f_{i,A_P}(A_Q) \cdot f_{j,A_P}(A_Q) \cdot \frac{g_{iP,jP}(A_Q)}{g_{(i+j)P}(A_Q)}. \qquad (5)$$

During the computations, each $f_{j,A_P}(A_Q)$ is a known field element, unlike
the unevaluated functions $f_{j,A_P}$. Since $A_Q$ has degree 0, the value of $f_{j,A_P}(A_Q)$
is unambiguous, whereas $f_{j,A_P}$ is defined only up to a multiplicative scalar.

To compute the Weil pairing we need

$$e_m(P, Q) = \frac{f_{A_P}(Q + R_2) \, f_{A_Q}(R_1)}{f_{A_P}(R_2) \, f_{A_Q}(P + R_1)} = \frac{f_{m,A_P}(Q + R_2) \, f_{m,A_Q}(R_1)}{f_{m,A_P}(R_2) \, f_{m,A_Q}(P + R_1)}.$$

For integers $j$ in an addition-subtraction chain for $m$, we will construct a tuple
$t_j = [jP, jQ, n_j, d_j]$ where $n_j$ and $d_j$ satisfy

$$\frac{n_j}{d_j} = \frac{f_{j,A_P}(Q + R_2) \, f_{j,A_Q}(R_1)}{f_{j,A_P}(R_2) \, f_{j,A_Q}(P + R_1)}.$$

To compute $t_{i+j}$ from $t_i$ and $t_j$, one uses the above recurrence (5) to derive the
following expression for $n_{i+j}/d_{i+j}$:

$$\frac{n_{i+j}}{d_{i+j}} = \frac{n_i}{d_i} \cdot \frac{n_j}{d_j} \cdot \frac{g_{iP,jP}(Q + R_2)}{g_{iP,jP}(R_2)} \cdot \frac{g_{(i+j)P}(R_2)}{g_{(i+j)P}(Q + R_2)} \cdot \frac{g_{iQ,jQ}(R_1)}{g_{iQ,jQ}(P + R_1)} \cdot \frac{g_{(i+j)Q}(P + R_1)}{g_{(i+j)Q}(R_1)}. \qquad (6)$$

To evaluate, for example, $g_{iP,jP}(Q + R_2) / g_{iP,jP}(R_2)$, start with the elliptic curve
addition $iP + jP = (i + j)P$. This costs 1 field division and 2 field multiplications
in the generic case where $iP$ and $jP$ have distinct $x$-coordinates and neither is
$O$. Save the slope $\lambda$ of the line $g_{iP,jP}(X) = y(X) - y(iP) - \lambda(x(X) - x(iP))$
through $iP$ and $jP$. Two field multiplications suffice to evaluate $g_{iP,jP}(Q + R_2)$
and $g_{iP,jP}(R_2)$ given $Q + R_2$ and $R_2$. No more field multiplications or divisions
are needed to compute the numerator and denominator of

$$\frac{g_{(i+j)P}(R_2)}{g_{(i+j)P}(Q + R_2)} = \frac{x(R_2) - x((i + j)P)}{x(Q + R_2) - x((i + j)P)}.$$

Repeat this once more to evaluate the last two fractions in (6). Overall these
evaluations cost 8 field multiplications and 2 field divisions. We need 10
multiplications to multiply the six fractions, for an overall cost of 18 multiplications
and 2 divisions.



Squared pairing. The squared pairing needs $n_m/d_m$ where $n_j/d_j$ is given
by (2). The recurrence formula is

$$\frac{n_{i+j}}{d_{i+j}} = \frac{n_i}{d_i} \cdot \frac{n_j}{d_j} \cdot \frac{g_{iP,jP}(Q)}{g_{iP,jP}(-Q)} \cdot \frac{g_{(i+j)P}(-Q)}{g_{(i+j)P}(Q)} \cdot \frac{g_{iQ,jQ}(-P)}{g_{iQ,jQ}(P)} \cdot \frac{g_{(i+j)Q}(P)}{g_{(i+j)Q}(-P)}. \qquad (7)$$

This time the update from $t_i = [iP, iQ, n_i, d_i]$ and $t_j$ to $t_{i+j}$ needs 2 elliptic
curve additions. Each elliptic curve addition needs 2 multiplications and 1
division in the generic case. We can evaluate the numerator and denominator of

$$\frac{g_{iP,jP}(Q)}{g_{iP,jP}(-Q)} = \frac{y(Q) - y(iP) - \lambda(x(Q) - x(iP))}{y(-Q) - y(iP) - \lambda(x(-Q) - x(iP))}$$

with only 1 multiplication, since $x(Q) = x(-Q)$.

The fraction $g_{(i+j)P}(-Q) / g_{(i+j)P}(Q)$ simplifies to 1 since $g_{(i+j)P}(X)$ depends
only on $x(X)$, not $y(X)$. Overall 6 multiplications and 2 divisions suffice to
evaluate the numerators and denominators of the six fractions in (7). We multiply
the four non-unit fractions with 6 field multiplications.

Overall, the squared Weil pairing advances from $t_i$ and $t_j$ to $t_{i+j}$ with 12
field multiplications and 2 field divisions in the generic case, compared to 18
field multiplications and 2 field divisions for Miller's method. When $i = j$, each
algorithm needs 2 additional field multiplications due to the elliptic curve
doublings. Estimating a division as 5 multiplications, this is roughly a 20% savings.

3 Squared Tate pairing for elliptic curves 
3.1 Squared Tate pairing formula 

Let $m$ be a positive integer. Let $E$ be defined over $\mathbb{F}_q$, where $m$ divides $q - 1$.
Let $E(\mathbb{F}_q)[m]$ denote the $m$-torsion points on $E$ over $\mathbb{F}_q$. Assume
$P \in E(\mathbb{F}_q)[m]$, and $Q \in E(\mathbb{F}_q)$, with neither being the identity and $P$ not
equal to a multiple of $Q$. The Tate pairing $\phi_m(P, Q)$ on
$E(\mathbb{F}_q)[m] \times E(\mathbb{F}_q)/mE(\mathbb{F}_q)$ is defined in ^ as

with the notation and evaluation as for the Weil pairing above. Now we define

$$v_m(P, Q) := \left( \frac{f_{m,P}(Q)}{f_{m,P}(-Q)} \right)^{(q-1)/m}$$

where $f_{m,P}$ is as above, and call $v_m$ the squared Tate pairing. To justify this
terminology, we will show below that $v_m(P, Q) = \phi_m(P, Q)^2$.



3.2 Algorithm for $v_m(P, Q)$

Fix a positive integer $m$ and the curve $E$. Given an $m$-torsion point $P$ on $E$ and
a point $Q$ on $E$, we want to compute $v_m(P, Q)$. As before, start with an
addition-subtraction chain for $m$. For each $j$ in the chain, form a tuple $t_j = [jP, n_j, d_j]$
such that

$$\frac{n_j}{d_j} = \frac{f_{j,P}(Q)}{f_{j,P}(-Q)}. \qquad (8)$$

Start with $t_1 = [P, 1, 1]$. Given $t_j$ and $t_k$, this procedure gets $t_{j+k}$.

1. Form the elliptic curve sum $jP + kP = (j + k)P$.

2. Find the line $g_{jP,kP}(X) = c_0 + c_1 x(X) + c_2 y(X)$.

3. Set

$$n_{j+k} = n_j \cdot n_k \cdot (c_0 + c_1 x(Q) + c_2 y(Q))$$
$$d_{j+k} = d_j \cdot d_k \cdot (c_0 + c_1 x(Q) - c_2 y(Q)).$$

A similar construction gives $t_{j-k}$ from $t_j$ and $t_k$. The vertical lines through
$(j + k)P$ and $(j + k)Q$ do not appear in the formulae for $n_{j+k}$ and $d_{j+k}$, because
the contributions from $Q$ and $-Q$ are equal. When $j + k = m$, one can further
simplify this to $n_{j+k} = n_j \cdot n_k$ and $d_{j+k} = d_j \cdot d_k$, since $c_2$ will be zero. When $n_m$
and $d_m$ are nonzero, then the computation of (8) with $j = m$ is successful, and
after raising to the $(q - 1)/m$ power, we have the correct output. If some $n_m$ or
$d_m$ were zero, then some factor such as $c_0 + c_1 x(Q) + c_2 y(Q)$ must have vanished.
That line was chosen to pass through $jP$, $kP$, and $(-j - k)P$, for some $j$ and $k$.
It does not vanish at any other point on the elliptic curve. Therefore this factor
can vanish only if $Q = jP$ or $Q = kP$ or $Q = (-j - k)P$ for some $j$ and $k$. In
all of these cases $Q$ would be a multiple of $P$, contrary to our assumption.
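
The procedure of Section 3.2, written out as an added example (it is not code from the paper): the tuple update $t_j, t_k \to t_{j+k}$ with a double-and-add chain as the addition chain, including the failure case where $n_m$ or $d_m$ vanishes. The toy curve $y^2 = x^3 + x + 7$ over $\mathbb{F}_{11}$, the sample points and all function names are constructed for illustration.

```python
# Added example: squared Tate pairing v_m(P, Q) following Section 3.2.
# Constructed toy parameters (not from the paper): E: y^2 = x^3 + x + 7 over F_11,
# which has 15 points; m = 5 divides both 15 and q - 1 = 10.
P_MOD, A, B, M = 11, 1, 7, 5
O = None  # point at infinity


def inv(a):
    return pow(a % P_MOD, -1, P_MOD)  # modular inverse (Python 3.8+)


def on_curve(pt):
    return pt is O or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P_MOD == 0


def line(U, V):
    """Coefficients (c0, c1, c2) of g_{U,V}(X) = c0 + c1*x(X) + c2*y(X)."""
    (x1, y1), (x2, y2) = U, V
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return (-x1 % P_MOD, 1, 0)                     # vertical line: c2 = 0
    if U == V:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD  # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD         # chord slope
    return ((lam * x1 - y1) % P_MOD, -lam % P_MOD, 1)


def add(U, V):
    """Elliptic curve addition, reusing the slope stored in the line."""
    if U is O:
        return V
    if V is O:
        return U
    c0, c1, c2 = line(U, V)
    if c2 == 0:
        return O
    lam = -c1 % P_MOD
    x3 = (lam * lam - U[0] - V[0]) % P_MOD
    return (x3, (lam * (U[0] - x3) - U[1]) % P_MOD)


def step(tj, tk, Q):
    """From t_j = (jP, n_j, d_j) and t_k build t_{j+k} (steps 1-3)."""
    (U, nj, dj), (V, nk, dk) = tj, tk
    if U is O or V is O:
        raise ValueError("P has order smaller than m")
    c0, c1, c2 = line(U, V)
    n, d = nj * nk % P_MOD, dj * dk % P_MOD
    if c2:  # a vertical line takes the same value at Q and -Q and cancels
        shared = (c0 + c1 * Q[0]) % P_MOD     # one product serves Q and -Q
        n = n * (shared + c2 * Q[1]) % P_MOD  # g_{jP,kP}(Q)
        d = d * (shared - c2 * Q[1]) % P_MOD  # g_{jP,kP}(-Q)
    return (add(U, V), n, d)


def squared_tate(P, Q, m=M):
    """v_m(P, Q) = (f_{m,P}(Q) / f_{m,P}(-Q))^((q-1)/m); no random point."""
    if P is O or Q is O or not (on_curve(P) and on_curve(Q)):
        raise ValueError("P and Q must be finite points on the curve")
    t1 = t = (P, 1, 1)
    for bit in bin(m)[3:]:          # double-and-add is an addition chain for m
        t = step(t, t, Q)
        if bit == "1":
            t = step(t, t1, Q)
    R, n, d = t
    if R is not O:
        raise ValueError("P is not an m-torsion point")
    if n == 0 or d == 0:            # happens only when Q is a multiple of P
        raise ValueError("Q is a multiple of P")
    return pow(n * inv(d), (P_MOD - 1) // m, P_MOD)


if __name__ == "__main__":
    P, Q = (1, 3), (3, 2)           # constructed: P has order 5, Q has order 15
    v = squared_tate(P, Q)
    print("v_5(P, Q)  =", v)
    print("v_5(2P, Q) =", squared_tate(add(P, P), Q), "expected", v * v % P_MOD)
    print("v_5(P, 2Q) =", squared_tate(P, add(Q, Q)), "expected", v * v % P_MOD)
```

The point (4, 3) has order 3, so it lies in $5E(\mathbb{F}_{11})$ and pairs trivially with $P$; a $Q$ that is a multiple of $P$ makes $n_m$ or $d_m$ vanish, which the function reports instead of returning a value.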



3.3 Correctness proof 

Theorem 2. Let $m$ be a positive integer. Suppose $P \in E(\mathbb{F}_q)[m]$ and $Q \in E(\mathbb{F}_q)$
with neither being the identity and $P \neq \pm Q$. Then the squared Tate pairing is

$$\phi_m(P, Q)^2 = \left( \frac{f_{m,P}(Q)}{f_{m,P}(-Q)} \right)^{(q-1)/m}.$$



Proof. Let $R_1$ and $R_2$ be as in the proof of Theorem 1. The proof proceeds
exactly as the correctness proof for the Weil pairing. The only difference is that
the factor of $(-1)^m$ is missing in the Tate pairing and so we have

(p,n[P,Q) — - 



By the same argument as in the proof for the Weil pairing we may choose
$R_2 = R_1$, which gives us the desired formula.



3.4 Estimated savings 

This analysis is almost identical to that for the Weil pairing in Section 2.6.
When analyzing Miller's algorithm for the Tate pairing, the main difference
from Section 2.6 is that the analog of (6) has 2 fewer fractions to evaluate and
combine. An elliptic curve addition costs 1 division and 2 multiplications, while
2 multiplications are needed to evaluate the numerators and denominators of
the two fractions. Then 6 multiplications are needed to combine the numerators
and denominators of the 4 fractions. Therefore each step of Miller's algorithm
performing an addition costs 1 division and 10 multiplications.

For the squared Tate pairing, the analog of (7) also has 2 fewer fractions in
it. An elliptic curve addition costs 1 division and 2 multiplications, while only
1 multiplication is needed to evaluate the numerators and denominators of the
2 fractions. Then 4 multiplications are needed to combine the numerators and
denominators of the 3 non-unit fractions. Therefore each step of the squared Tate
pairing algorithm performing an addition costs 1 division and 7 multiplications.

Overall, the squared Tate pairing advances from $t_i$ and $t_j$ to $t_{i+j}$ with 7
field multiplications and 1 field division in the generic case, compared to 10 field
multiplications and 1 field division for Miller's method applied to the usual Tate
pairing. When $i = j$, each algorithm needs one additional field multiplication
due to the elliptic curve doubling. Estimating a division as 5 multiplications,
this is roughly a 20% savings.

Comparing our squared pairing to the algorithm from , the algorithms are 
equally efficient in the case of general base points, where there is no cancellation 
of denominators in their algorithm. In '7 , the authors show that if the security 
multiplier is even (k = 2d) and the x-coordinate of the base point Q lies in a 
subfield $\mathbb{F}_{q^d}$, then the denominators in the Tate pairing evaluation disappear.
This makes their method more efficient, but it is possible that adding this extra 
structure may weaken the system for cryptographic use. Also, in some situations, 
restricting to k even may not be desirable. 

4 Squared Tate pairing for hyperelliptic curves 

Let $C$ be a hyperelliptic curve of genus $g$ given by an affine model $y^2 = f(x)$
with $\deg f = 2g + 1$ over a finite field $\mathbb{F}_q$ not of characteristic 2. The curve $C$ has
one point at infinity, which we will denote by $P_\infty$. Let $J = J(C)$ be the Jacobian
of $C$. If $P = (x, y)$ is a point on $C$, then $P'$ will denote the point $P' := (x, -y)$.
We denote the identity element of $J$ by id.

The Riemann-Roch theorem assures that each element $D$ of $J$ contains a
representative of the form $A - gP_\infty$, where $A$ is an effective divisor of degree $g$.
In addition, we will always work with semi-reduced representatives, which means
that if a point $P = (x, y)$ occurs in $A$ then $P' := (x, -y)$ does not occur elsewhere
in $A$. The effective divisor representing the identity element id will be $gP_\infty$. For
an element $D$ of $J$ and integer $i$, a representative for $iD$ will be $A_i - gP_\infty$, where
$A_i$ is effective of degree $g$ and semi-reduced.

To a representative $A_i - gP_\infty$ we associate two polynomials $(a_i, b_i)$ which
represent the divisor. The first polynomial, $a_i(x)$, is monic and has zeros at
the $x$-coordinates of the points in the support of the divisor $A_i$. The second
polynomial, $b_i(x)$, has degree less than $\deg(a_i(x))$, and the graph of $y = b_i(x)$
passes through the finite points in the support of the divisor $A_i$.

4.1 Definition of the Tate pairing 

Fix a positive integer $m$ and assume that $\mathbb{F}_q$ contains a primitive $m$th root of
unity $\zeta_m$. The Tate pairing,
$\phi_m : J(\mathbb{F}_q)[m] \times J(\mathbb{F}_q)/mJ(\mathbb{F}_q) \to \mathbb{F}_q^*/(\mathbb{F}_q^*)^m \cong \langle \zeta_m \rangle$,
is defined in p. 871] explicitly as follows. Let $D \in J(\mathbb{F}_q)[m]$ and $E \in J(\mathbb{F}_q)$.
Let $h_{m,D}$ be a function on $C$ whose divisor is $(h_{m,D}) = mD$. Then

$$\phi_m(D, E) := h_{m,D}(E)^{(q-1)/m} \in \langle \zeta_m \rangle.$$

This pairing is known to be well-defined, bilinear, and non-degenerate. The value
$h_{m,D}(E)$ is defined only up to $m$th powers, so we raise the result to the power
$(q - 1)/m$ to eliminate all $m$th powers. Note that $E$ is a divisor on the curve $C$, not
an elliptic curve. We also assume that the support of $E$ does not contain $P_\infty$
and that $E$ is prime to the $A_i$'s. Actually $E$ needs to be prime to only those
representatives which will be used in the addition-subtraction chain for $m$, so to
about $\log m$ divisors.

Frey and Rück jjj pp. 872-873] show how to evaluate the Tate pairing on
the Jacobian of a curve assuming an explicit reduction algorithm for divisors
on a curve. Cantor [4] gives such an algorithm for hyperelliptic curves when the
degree of $f$ is odd. In Section 4.3 below, we use Cantor's algorithm to explicitly
compute the necessary intermediate functions. These functions will be used to
evaluate the squared Tate pairing, but they could just as well be used to evaluate
the usual Tate pairing.



4.2 Squared Tate pairing $v_m$ for hyperelliptic curves

Theorem 3. Given an $m$-torsion element $D$ of $J$ and an element $E$ of $J$, with
representatives $D = P_1 + P_2 + \cdots + P_g - gP_\infty$ and $E = Q_1 + Q_2 + \cdots + Q_g - gP_\infty$
respectively, with $P_i$ not equal to $Q_j$ or $Q'_j$ for any $i, j$, define

$$v_m(D, E) := \left( h_{m,D}(Q_1 - Q'_1 + Q_2 - Q'_2 + \cdots + Q_g - Q'_g) \right)^{(q-1)/m}.$$

Then $v_m(D, E) = \pm \phi_m(D, E)^2$ where $\phi_m(D, E)$ is the Tate pairing defined
above.

Proof. Recall that if $P_i = (x, y)$ is a point on $C$, then $P'_i$ is the point $(x, -y)$.
Similarly, if $D = P_1 + P_2 + \cdots + P_g - gP_\infty$, let $D' = P'_1 + P'_2 + \cdots + P'_g - gP_\infty$.
For the proof, we will compute $\phi_m(2D, 2E)$.

Observe that $E - E' = Q_1 - Q'_1 + Q_2 - Q'_2 + \cdots + Q_g - Q'_g \sim 2E$ in the
Jacobian of $C$, since $E + E' = (Q_1 + Q'_1 - 2P_\infty) + \cdots + (Q_g + Q'_g - 2P_\infty) \sim$ id.
Let $h_{m,D}$ denote the rational function on $C$ with divisor
$(h_{m,D}) = mP_1 + \cdots + mP_g - 2gmP_\infty$ as above. Then the divisor of $h_{m,D}/h_{m,D'}$ has the form

$$mP_1 - mP'_1 + \cdots + mP_g - mP'_g,$$

so $(h_{m,D}/h_{m,D'}) \sim 2mD$ in the Jacobian. That means we can use $h_{m,D}/h_{m,D'}$
to compute the pairing $\phi_m(2D, 2E)$. If $Q$ is any point on $C$, then we can see by
comparing the divisors of the two functions that $h_{m,D}(Q) = c \cdot h_{m,D'}(Q')$, where
$c$ is a constant which does not depend on $Q$.
Hence

$$\phi_m(2D, 2E) = \left( \frac{h_{m,D}(E - E')}{h_{m,D'}(E - E')} \right)^{(q-1)/m} = \left( \frac{h_{m,D}(E - E')}{h_{m,D}(E' - E)} \right)^{(q-1)/m} = \left( h_{m,D}(E - E')^2 \right)^{(q-1)/m}.$$

Since $\phi_m(2D, 2E) = \phi_m(D, E)^4$, it follows that

$$\phi_m(D, E)^2 = \pm \left( h_{m,D}(Q_1 - Q'_1 + \cdots + Q_g - Q'_g) \right)^{(q-1)/m}.$$



4.3 Functions needed in the evaluation of the pairings 



Let $D$ be an $m$-torsion element of $J$. For a positive integer $j$, let $h_{j,D}$ denote a
rational function on $C$ with divisor

$$(h_{j,D}) = jA_1 - A_j - (j - 1)gP_\infty.$$

Since $D$ is an $m$-torsion element, we have that $A_m = gP_\infty$, so the divisor of $h_{m,D}$
is $(h_{m,D}) = mA_1 - m \cdot gP_\infty$. Each $h_{j,D}$ is well-defined up to a multiplicative
constant.

Given positive divisors $A_i$ and $A_j$, we can use Cantor's algorithm to find a
positive divisor $A_{i+j}$ and a function $u_{i,j}$ with divisor equal to

$$(u_{i,j}) = A_i + A_j - A_{i+j} - gP_\infty.$$

We construct $h_{j,D}(E)$ iteratively. For $j = 1$, let $h_{1,D}$ be 1. Suppose we have $A_i$,
$A_j$, $h_{i,D}(E)$ and $h_{j,D}(E)$. Let $u_{i,j}$ be the above function on $C$. Then

$$h_{i+j,D}(E) = h_{i,D}(E) \cdot h_{j,D}(E) \cdot u_{i,j}(E).$$

4.4 Algorithm to compute $v_m(D, E)$

Let $D$ and $E$ be as above. Form an addition-subtraction chain for $m$. For each
$j$ in the chain we need to form a tuple $t_j = [A_j, n_j, d_j]$ such that $jD$ has
representative $A_j - 2P_\infty$ and

Let $t_1 = [A_1, 1, 1]$. Given $t_i$ and $t_j$, let $(a_i, b_i)$ and $(a_j, b_j)$ be the polynomials
corresponding to the divisors $A_i$ and $A_j$. Do a composition step as in Cantor's
algorithm to obtain $(a, b)$ corresponding to $A_i + A_j$, without performing the
reduction step. Let $d(x) = \gcd(a_i(x), a_j(x), b_i(x) + b_j(x))$. The output
polynomials $a$, $b$, and $d$ depend on $i$ and $j$, but we will omit the subscripts here for ease
of notation. If $d(x) = 1$, then $a(x) = a_i(x) a_j(x)$, and $b(x)$ is the polynomial with
$\deg(b) < \deg(a)$ such that $y = b(x)$ passes through the distinct finite points in
the support of $A_i$ and $A_j$.

The reduction step described in [4, p. 99] then replaces $(a, b)$ by $(\tilde{a}, \tilde{b})$ where
$\tilde{a} = (f - b^2)/a$, $\tilde{b} = -b \pmod{\tilde{a}}$ and $\deg(\tilde{b}) < \deg(\tilde{a})$. This reduction step is
applied repeatedly until $\deg(a) \le g$. In the genus 2 situation, it follows from
[4, p. 99] that at most one reduction step is performed.

Case i. If $g = 2$ and $\deg(a(x)) > 2$, a reduction step is performed. If we let

$$v_{i,j}(P) := \frac{a(x(P))}{b(x(P)) + y(P)} \qquad (9)$$

and

$$u_{i,j}(P) := v_{i,j}(P) \cdot d(x(P)),$$

then $(u_{i,j}) = A_i + A_j - A_{i+j} - 2P_\infty$, and

$$\frac{u_{i,j}(P)}{u_{i,j}(P')} = \frac{a(x(P))}{a(x(P'))} \cdot \frac{b(x(P')) + y(P')}{b(x(P)) + y(P)} \cdot \frac{d(x(P))}{d(x(P'))} = \frac{b(x(P')) + y(P')}{b(x(P)) + y(P)}.$$

Let

$$n_{i+j} := n_i \cdot n_j \cdot (b + y)(Q'_1) \cdot (b + y)(Q'_2)$$
$$d_{i+j} := d_i \cdot d_j \cdot (b + y)(Q_1) \cdot (b + y)(Q_2). \qquad (10)$$

There is no contribution from $a$ in $n_{i+j}$ and $d_{i+j}$ because the contributions from
$Q_i$ and $Q'_i$ are equal. This improves the algorithm for the Tate pairing in [Jj.

Case ii. If $g = 2$ and $\deg(a(x)) \le 2$, then $u_{i,j}(P) = d(x(P))$. In this case we let
$n_{i+j} := n_i \cdot n_j$ and $d_{i+j} := d_i \cdot d_j$.

Case iii. Suppose $g > 2$. If $r$ reduction steps are needed, then to compute $u_{i,j}$,
we obtain intermediate factors $v_{i,j}^{(1)}, \ldots, v_{i,j}^{(r)}$, one factor as in (9) per reduction
step. Then $u_{i,j}$ will be the product $u_{i,j} := v_{i,j}^{(1)} \cdot \ldots \cdot v_{i,j}^{(r)} \cdot d(x(P))$.

Note: If we evaluate $n_i$ and $d_i$ at intermediate steps then it is not enough to
assume that the divisors $D$ and $E$ are coprime. Instead, $E$ must also be coprime
to $A_i$ for all $i$ which occur in the addition chain for $m$. One way to ensure
this condition is to require that $E$ and $D$ be linearly independent and that the
polynomial $p(x)$ in the pair $(p(x), q(x))$ representing $E$ be irreducible. There are
other ways possible to achieve this, like changing the addition chain for $m$.

4.5 Estimated savings for genus 2 

Using a straightforward implementation of Cantor's algorithm, the total costs for 
doubling and addition on the Jacobian of a hyperelliptic curve of genus 2 in odd 
characteristic, $C : y^2 = f(x)$, where $f$ has degree 5, are as follows. Doubling an
element costs 34 multiplications and 2 inversions. Adding two distinct elements 
of J costs 26 multiplications and 2 inversions. More efficient implementations of 
the group law may alter the total impact of our algorithm. Different field multi- 
plication/inversion ratios and field sizes, as well as differing costs in an extension 
field will also affect the analysis, but these costs are chosen as representative for 
the purpose of estimating the savings. 

Analysis of standard algorithm. Let $D := P_1 + P_2 - 2P_\infty$. Let $R_1$, $R_2$, $R_3$,
$R_4$ be four points on $C$ such that $Q_1 + Q_2 - 2P_\infty \sim R_1 + R_2 - R_3 - R_4$ in $J$.
The algorithm in T computes $t_{i+j}$ from $t_i$ and $t_j$, where $t_j = [A_j, n_j, d_j]$ and

$$\frac{n_j}{d_j} = \frac{h_{j,D}(R_1) \, h_{j,D}(R_2)}{h_{j,D}(R_3) \, h_{j,D}(R_4)}.$$

The expression for $n_{i+j}/d_{i+j}$ becomes

$$\frac{n_{i+j}}{d_{i+j}} = \frac{n_i}{d_i} \cdot \frac{n_j}{d_j} \cdot \frac{u_{i,j}(R_1) \, u_{i,j}(R_2)}{u_{i,j}(R_3) \, u_{i,j}(R_4)}.$$

To form $u_{i,j}$, we have to perform an addition or doubling step to obtain $A_{i+j}$
from $A_i$ and $A_j$. This costs 34 multiplications and 2 inversions for a doubling,
26 multiplications and 2 inversions for an addition. Then

$$u_{i,j}(P) = \frac{a(x(P))}{b(x(P)) + y(P)},$$

and to compute $(n_{i+j}, d_{i+j})$, we need to evaluate $u_{i,j}$ at four different points.
Each evaluation of $a(x(P))$ costs 2 multiplications in a doubling step, 3
multiplications in an addition step (square or product of monic quadratics).
Evaluation of $b(x(P))$ (cubic) costs 3 multiplications. Finally we multiply the partial
numerators and denominators out, using 5 multiplications each, including the
multiplications with $n_i$, $n_j$, $d_i$, and $d_j$. So the total cost for an addition step
is 60 multiplications and 2 inversions, and the total cost for a doubling is 64
multiplications and 2 inversions.

Squared Tate pairing. The squared Tate pairing works with the divisor
$Q_1 - Q'_1 + Q_2 - Q'_2 \sim 2Q_1 + 2Q_2 - 4P_\infty$. After adding $A_i$ and $A_j$ to obtain $A_{i+j}$ as
above, we need to form

$$\frac{n_{i+j}}{d_{i+j}} = \frac{n_i}{d_i} \cdot \frac{n_j}{d_j} \cdot \frac{u_{i,j}(Q_1) \, u_{i,j}(Q_2)}{u_{i,j}(Q'_1) \, u_{i,j}(Q'_2)}.$$

As can be seen from (10) above, no evaluations of $a(x(P))$ are needed. For $i =
1, 2$, we need to evaluate $b(x(Q_i))$ and $b(x(Q'_i))$. This costs only 3 multiplications
for each $i$, since the $x$-coordinates of $Q_i$ and $Q'_i$ are the same. Finally, we have
to multiply the partial numerators and denominators, for a total cost of 12
multiplications for either a doubling or an addition.

So the total cost for an addition step is 38 multiplications and 2 inversions,
and the total cost for a doubling is 46 multiplications and 2 inversions.
Estimating an inversion as 4 multiplications, this is a 25% improvement in the doubling
case and a 33% improvement in the addition case.



5 Example: g = 2, p = 31, m = 5 

In this section, we evaluate the squared Tate pairing on 5-torsion on the Jacobian
of a hyperelliptic genus 2 curve over a field of 31 elements. Let $C$ be defined by
the affine model $y^2 = f(x)$ where $f(x) = x^5 + 13x^4 + 2x^3 + 4x^2 + 11x + 1$.
The group of points on the Jacobian of $C$ over $\mathbb{F}_{31}$ has order $N = 1040$. Let $D$
be the 5-torsion element of the Jacobian of $C$ given by the pair of polynomials
$D = [x^2 + 23x + 15, 13x + 28]$. Let $E$ be the element of the Jacobian of $C$ of
order 260 given by the pair $E = [x^2 + 4x + 2, 29x + 20]$. Then the squared Tate
pairing evaluated at $D$ and $E$ is $v_5(D, E) = 4$, where

$$h_{5,D} = \frac{(x + 26)^2 (x^4 + 19x^3 + 23x^2 + 16x + 19)(x^2 + 23x + 15)}{x^3 + 6x^2 + 9x + 21 + y}.$$

To illustrate the bilinearity of the pairing, look for example at
$2D = [x^2 + 25x + 9, 10x + 6]$, $3D = [x^2 + 25x + 9, 21x + 25]$, and $2E = [x^2 + x + 3, 26x + 3]$.
Then we compute that indeed $v_5(2D, E) = 16 = v_5(D, E)^2$, with

$$h_{5,2D} = \frac{(x + 26)(x^4 + 19x^3 + 23x^2 + 16x + 19)^2 (x^2 + 25x + 9)}{(x^3 + 6x^2 + 9x + 21 + y)^2},$$

and $v_5(D, 2E) = 16 = v_5(D, E)^2$, with $h_{5,D}$ as above. Also

$$v_5(3D, E) = 2 = v_5(D, E)^3 \pmod{31},$$

with

$$h_{5,3D} = \frac{(x + 26)(x^4 + 19x^3 + 23x^2 + 16x + 19)^2 (x^2 + 25x + 9)}{(30x^3 + 25x^2 + 22x + 10 + y)^2}.$$